Deconstructing the Ransomware Kill Chain (Part 2 in a Series on Ransomware)
Updated: Jul 24
In our last blog, The Proliferation of Ransomware, we covered the ransomware business and its continual growth at the expense of beleaguered enterprise networks and individual victims. We mentioned that by design, ransomware is a relatively “noisy” form of malware and its kill chain presents multiple opportunities for network defenders to successfully detect and mitigate this type of threat. To effectively mitigate this type of threat we must first understand the behavior of ransomware by examining its kill chain or stages.
In this blog post we are analyzing the cyber kill chain of a widespread crypto-ransomware named TeslaCrypt. The TeslaCrypt 3.0 variant is an offspring of CryptoLocker and was initially identified to encourage recipients to follow URLs hosted on potentially malicious pages. When a victim arrives at the compromised page, they are redirected to the malware, TeslaCrypt. This malware is often delivered via the Angler exploit kit, but has been documented to be delivered via other outlets such as phishing email attachments, compromising an existing legitimate website, malvertising, and less commonly through a phone call.
With increasing coverage of the ransomware threat in the news and in marketing campaigns, ransomware is shaping up to be the top marketed threat in 2016. In order to be able to implement successful defense mechanisms against the rising ransomware threat, we must first understand how ransomware operates from the very beginning stages up to the ransom request and payment. It is essential to map out the steps of the ransomware intrusion to better understand the malware itself and map controls to it. A cyber kill chain is a model for the identification and prevention of cyber intrusion activity. The model identifies what the adversaries must complete in order to achieve their objective. Although not all ransomware variants behave identically in their execution, we are able to develop a basic structure of a common ransomware attack:
Step 1: Recon
Attacker gathers information on the target; this can be accomplished by looking at publicly available information on the web or social engineering techniques. This is completed before the actual attack and can be either active or passively occurring behind the scenes. For most ransomware attacks, the victims are not specifically targeted and therefore may not be subject to reconnaissance in a traditional sense. However, some ransomware gangs do scan and identify vulnerable organizations in order to target them for attack. Additionally, in the broader context of the cybercrime marketplace, cybercriminals are constantly performing reconnaissance to identify vulnerable infrastructure that can be adapted for different needs throughout the stages of the malware kill chain.
Step 2: Weaponization
Attacker creates a malicious exploit to send to the victim. This step also happens behind the scenes at the attacker side without contact with the victim. Examples include an exploit kit that profiles victim computers in order to deliver specific exploits that they are vulnerable to, and an Office document with a malicious macro that can be sent as an email attachment.
Step 3: Delivery
Attacker uses bait to launch the attack; this can be achieved by sending the payload to the victim via phishing emails, links, infected attachments, malicious ads, or a compromised website. Currently 93% of all phishing emails is ransomware, making it the most widespread malware variant in payload delivery. Despite the rigorous anti-phishing training provided to employees by some IT departments, social engineering is still a highly successful method. If the user takes the “bait” from one of the intrusion methods used by the attacker by following a link or opening a malicious attachment, the next stage is triggered.
Figure 1: Ransomware phishing email. Currently 93% of all phishing emails is ransomware, the most widespread method in ransomware payload delivery. Credit: http://www.tgsoft.it/immagini/news/TeslaCrypt/20160208_TeslaCrypt_30_Email_DHL.PNG
Step 4: Installation or Exploitation
Installation is relevant when the attacker uses malware as part of their attack. The victim clicks or opens the malicious file, which executes the malware onto the user’s device. In many situations the victim is not aware that the malware is being executed and that the device is becoming infected.
Step 5: Key Exchange and Call Home (Command and Control)
A command and control (C&C) channel is created to enable attacker control of his internal assets remotely and can be set up months in advance or on the fly. After the execution of the malware and system infection, the malware reaches out or “calls home” to the server in order to generate and retrieve a key pair. Unlike the public key in an asymmetric key encryption scheme, only the holder of the paired private key can decrypt the file system. The encryption keys are received from the server in order for the files to be encrypted and then later decrypted with the same key pair after the victim has paid the ransom. Note that not all ransomware reaches out to the C&C server for the encryption key, as the encryption keys may be generated locally on the machine, depending on the ransomware variant.
Figure 2: The malware sending the initial C2 call back HttpSendRequest with encrypted data to retrieve the IP address and keys. Credit: https://www.threattrack.com
Step 6: Encryption and Persistence
After the initial execution of the ransomware on the machine, the malware begins to search for files matching extensions that are hardcoded into the malware’s list of file extensions. Ransomware recursively performs these searches on any mounted drive, whether a local drive, USB drive, network share, etc. When the files matching the extensions are found, a temporary file is created to encrypt the original file content. The original file is then overwritten and replaced by the corresponding encrypted file to restrict access. This method effectively blocks the data from the victim. The file extensions hardcoded into the malware generally include over 300 target file extensions, ensuring that every useful file on the machine is encrypted in the process. The malware leverages a persistence technique such as creating registry entries to enable it to run at startup as well as in Safe Mode to continue its encryption upon restart of the system.
Figure 3: TeslaCrypt sample scans and checks if the system already has a recovery key, and generates necessary encryption keys if it doesn’t. These keys are used in the encryption routine. Credit: https://www.threattrack.com
Figure 4: TeslaCrypt sample leveraging a persistence technique by creating an auto start registry entry allowing it to execute on startup to continue its encryption routine upon restart of the system. Credit: Author
Step 7: Ransom and Extortion
After the encryption process is complete, to regain access to the data the attacker requests payment to decrypt the data with their unique decryption key. The request is commonly made via a window popup following the encryption process notifying the victim of the encryption of their data. Within this popup window the victim will find instructions to submit payment, including URLs for creating a Bitcoin wallet and submittal of payment, commonly over the Tor anonymous network at a .onion web address. Note that paying the ransom payment does not guarantee the attacker will hold their end of the deal.
Figure 5: TeslaCrypt masquerading as CryptoLocker. Following the encryption of the data a request is made via a window popup notifying the victim of the encryption of their data, payment instructions, and URLs for creating a Bitcoin wallet and submittal of payment. Credit: Author
Understanding each stage of the ransomware kill chain allows us to determine what countermeasures and defense techniques can be put in place at various stages of the process. In our next blog post we will cover effective defense techniques and countermeasures for each step as well as the decryption process once the system has already been encrypted.
Polito, Inc. offers a wide range of security consulting services including penetration testing, vulnerability assessments, incident response, digital forensics, and more. If your business or your clients have any cyber security needs, contact our experts and experience what Masterful Cyber Security is all about.